You’ve done it.
After months of nagging, security awareness training, and constant reminders, your employees have started reporting phishing emails. Take a moment to pat yourselves on the back, because this is no mean feat.
But… now what? What do you actually do with all these reported emails?
First of all, you need to get your priorities straight.
Eyes on the Prize
Let’s be clear on this.
There is only one reason to have your employees report phishing emails: To prevent breaches from happening, and minimize the damage when they do occur.
Of course there are plenty of things you can do with reported phishing emails, and we’ll be going through several of them in this post. But every action you take should be designed to bring you closer to this ultimate goal.
With that out of the way…
Search and Destroy
The most obvious use for reported phishing emails is incident response.
If one of your employees has reported an email, there’s a good chance other people have received one too. By identifying every user who’s been exposed, you can minimize the immediate risk to your assets.
To do this, you’ll need to analyze… and quickly.
In order to be truly effective, reported emails and attachments need to be analyzed in near real-time by a combination of expert personnel, malware analysis tools, and threat intelligence systems.
Assuming you have these resources available to you, nearly everything about a reported phishing email is fair game. Modern technology has made life much easier for your assailants, but you’ll still usually find a lot of repetition in their emails.
Subjects, sender names, formatting, body text, links, attachments… even host IPs are often repeated many times in large-scale phishing campaigns, and it’s even more likely in targeted spear phishing attacks. By quickly analyzing the content and meta data of a reported email, you’re giving yourself the best possible chance of identifying exposed users and preventing escalation.
But of course, there’s always the possibility that it’s too late for that. If one of your employees has already opened and acted on a similar email, you’ll need to start damage control.
If it’s a social engineering campaign, and there’s no malware involved, you may have caught it in time to prevent (or at least minimize) any damage. If there is malware involved, however, you’ll need to conduct detailed analysis to help you identify any possible damage or compromise to your assets.
Vitally, you’ll need to quickly identify whether any software or command and control (C2) infrastructure has been setup inside your network, and eliminate it as quickly as possible.
Assuming you manage all this, the immediate threat will generally be over… but that doesn’t mean your work is done.
Better Every Day
Believe it or not, there is a side-benefit to being targeted by phishing attacks.
If you’re an organization that takes cyber security seriously, you’ll no doubt be conducting regular vulnerability scans and risk assessments to ensure your systems and data remain safe. But if a phishing attack comes along that does find it’s way into user inboxes, that’s an opportunity for you to tighten up your email security controls and security awareness training program to prevent similar attacks in the future.
Equally, if the attack includes malware or social engineering tactics that enjoy any form of success, you can prepare for future attacks by using that information to help tighten internal controls such as user access levels.
Now of course, it would be better to find and remove these weaknesses via your threat intelligence platform, regular vulnerability scans, and a bit of creative internal hunting. But, assuming this attack has been efficiently contained, hasn’t it at least helped you make your organization more secure?
So stop looking so glum. Just think of it as a free penetration test, and make sure you learn this valuable lesson.
Feed Your Referral Machine
You’ve contained the threat, and learned your lessons the hard way… but you still aren’t quite done. There’s one more sliver of value to be squeezed out of reported phishing emails, and it comes in the form of metrics.
By analyzing the average time taken to report potential phishing emails, along with their content, you’ll have all the ammunition you need to constantly update and improve your security awareness training. From realistic examples to learning points and top tips, recently reported emails are easily the best source of fresh training content.
And, lest we forget, there are the false positives. You thought we’d forgotten, didn’t you?
False positives are a thorny problem. You don’t want to put people off reporting, but the sheer volume of false positives can make life very difficult, dramatically increasing your response and containment times.
By comparing false positives to actual phishing emails you can not only improve your training materials, you can also enhance your approach to prioritizing reports.
Does a particular employee keep sending over false positives? Are certain types of legitimate emails being reported on a regular basis? Perhaps you’ll find that most real phishing emails have certain characteristics that aren’t shared by false positives.
Whatever you find out, use it to inform the way you react to referrals. Your life (and response times) will be much improved.
Use It or Lose It
Too often organizations ask their employees to report suspected phishing emails, but never do anything with them. Or at least, that’s how it seems to the employees.
Never let this happen at your organization. If your employees decide there’s no point in reporting because nothing will be done, your reports will dry up overnight.
It’s vital that you keep people informed.
Update your security awareness training regularly, send out reminder emails, personally thank people when they get it right… do whatever you have to do to make sure everybody understands that phishing is an ongoing and serious problem.
It is, after all, and you’re going to need your employees on-side if you hope to combat it successfully.
Learn more about fighting back against spear phishing attacks. Download the CISO's Guide to Spear Phishing Protection.